34C3: Reverse Engineering FPGAs

We once knew a guy who used to tell us that the first ten times he flew in an airplane, he jumped out of it. It was his eleventh flight before he walked off the plane. [Mathias Lasser] has a similar story. Despite being one of the pair who decoded the iCE40 bitstream format a few years ago, he admits in his 34C3 talk that he never learned how to use FPGAs. His talk covers how he reverse engineered the iCE40 and the Xilinx 7 series devices. You can see the video, below.

If you are used to FPGAs in terms of Verilog and VHDL, [Mathias] will show you a whole new view of rows, columns, and tiles. Even if you don’t ever plan to work at that level, sometimes understanding hardware at the low level will inspire some insights that are harder to get at the abstraction level.

In theory, the reverse engineering ought not be that hard. The device has some amount of resources and the bitstream identifies how those resources connect together and maybe program some lookup tables. In practice, though, it is difficult because there is virtually no documentation, including details about the resources you need to know at that level.

For example, in the video, you can see Lattice’s diagram for a logic cell. There are several options to do things like bypass the flip flop, set the look-up table, and so on. There’s any number of options available to set that configuration and that doesn’t even address how to connect the inputs and outputs to the routing resources.

Of course, you know he managed the iCE40 decoding since he and [Clifford Wolf] did the work behind the open source Lattice toolchain. We even used that toolchain in several of our FPGA tutorials.



from Hackaday http://ift.tt/2mGj7AE
via IFTTT